Описание
Gradio has SSRF via Malicious proxy_url Injection in gr.load() Config Processing
Summary
A Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses gr.load() to load an attacker-controlled Space, the malicious proxy_url from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure.
Details
The vulnerability exists in Gradio's config processing flow when loading external Spaces:
-
Config Fetching (
gradio/external.py:630):gr.load()callsBlocks.from_config()which fetches and processes the remote Space's configuration. -
Proxy URL Trust (
gradio/blocks.py:1231-1233): Theproxy_urlfrom the untrusted config is added directly toself.proxy_urls:if config.get("proxy_url"): self.proxy_urls.add(config["proxy_url"]) -
Built-in Proxy Route (
gradio/routes.py:1029-1031): Every Gradio app automatically exposes a/proxy={url_path}endpoint:@router.get("/proxy={url_path:path}", dependencies=[Depends(login_check)]) async def reverse_proxy(url_path: str): -
Host-based Validation (
gradio/routes.py:365-368): The validation only checks if the URL's host matches any trustedproxy_urlhost:is_safe_url = any( url.host == httpx.URL(root).host for root in self.blocks.proxy_urls )
An attacker can set proxy_url to http://169.254.169.254/ (AWS metadata) or any internal service, and the victim's server will proxy requests to those endpoints.
PoC
Full PoC: https://gist.github.com/logicx24/8d4c1aaa4e70f85d0d0fba06a463f2d6
1. Attacker creates a malicious Gradio Space that returns this config:
2. Victim loads the malicious Space:
3. Attacker exploits the proxy:
Impact
Who is impacted:
- Any Gradio application that uses
gr.load()to load external/untrusted Spaces - HuggingFace Spaces that compose or embed other Spaces
- Enterprise deployments where Gradio apps have access to internal networks
Attack scenarios:
- Cloud credential theft: Access AWS/GCP/Azure metadata endpoints to steal IAM credentials
- Internal service access: Reach databases, admin panels, and APIs on private networks
- Network reconnaissance: Map internal infrastructure through the victim
- Data exfiltration: Access sensitive internal APIs and services
Пакеты
gradio
< 6.6.0
6.6.0
Связанные уязвимости
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure. Version 6.6.0 fixes the issue.